Always Look for Expert Guidance for Compliance With PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is probably the only standard that provides the control requirements for protecting cardholder information and a useful control framework for maintaining and enhancing security within the payment card industry. It covers almost all domains, spreading over application and network security to encryption and tokenization, along with non-IT controls related to human resources and physical security.

With the release of PCI DSS v2.0, there is a lot of talk in the air, with most people questioning whether it is worth calling the version “v2.0” instead of “v1.2.1” or “v1.3.” I would put it another way: This version was much needed to provide the clarification and justification for the existing control requirements, and I do agree that there are no major changes, just a couple of new requirements. Questions regarding version numbering are not that relevant.

However, some of the PCI controls are loosely documented, and hence, IT and security teams will have to make their best assumptions and use their judgment while implementing and complying with PCI controls.

According to a survey conducted by Infosecurity (UK), almost 30 percent of IT directors/managers of major retailers in the UK are either unaware—or only partially aware—of the PCI DSS v2.0 security standard’s requirements. More than 41 percent of merchants rely on compensating controls, which can be temporary fixes to achieve compliance. We have seen organizations that are compliant suffer from breaches, which only means compliance should not be a point-in-time task, but an ongoing program.

In addition, with the lack of awareness and increasing PCI DSS compliance cost, organizations may not completely or correctly understand the PCI controls and, hence, may seek the support of a qualified security assessor (QSA) for guidance. Also, COBIT or ISO/IEC 27001:2005, Information technology—Security techniques—Information security management systems—Requirements, can be used as a reference while implementing PCI DSS. A detailed control mapping between PCI DSS controls and COBIT controls are provided in the article “Mapping PCI DSS v2.0 With COBIT 4.1.”